Parser

Most recent version: v1.0.1

See the changelog of this Action type here.

Overview

The Parser Action gives structure to and divides a JSON, Key-Value, CSV, Delimited Values, Fixed Length, or XML file into separate fields.

In order to configure this Action, you must first link it to a Listener. Go to Building a Pipeline to learn how to link.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find Parser in the Actions tab (under the Transformation group) and drag it onto the canvas.

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Parameter

Description

Select field to parse*

First, choose the field to parse from your input data by typing it in the search bar or selecting it from the list.

Input*

This is where you specify how to read the incoming data:

real_data - This is the data taken directly from the linked Listener.
paste - There may be times when you will receive a file with updated data for the Listener. If this is the case, you can paste it here.

In the Events drop-down, you can write how many events to show in this window.

Now you have specified where to source the data from, you need to determine how to process the events.

Parser*

There are two ways to parse your data:

auto - Automatically parses all key-value fields.
manual - Manually split fields and rename them.

Here you can view the fields as a list, or as code. Each data type has a color. Learn more here.

The language and grammar used to parse is PCL (Parser Configuration Language). We have provided an extensive run-down of each command in this article.

Now that we have decided which field, from where, and how to parse, we need to specify the interpretation of the output for the next action.

Output*

Here you can see the raw message that has been generated.

Below, each individual field is color-coded according to the legend and separated into its type and name.

Here you can change the data type and edit the field name.

For fields containing subfields (field.subfield), changing the field name will change all of the prefixes.

Click Save to complete the process.

Example

Learn how to use the Parser with this example.

We have opened the configuration of the Parser to our Pipeline, which receives data from the linked Listener.

First we must select the field to parse from the Listener to separate into more specific data. This is the field containing the raw data.

In the Input field, select Real data if you feel comfortable with how the Parser works.

Select Paste and paste this log to follow along with us for the various examples of log sources.

A CSV file using "," as a separator

Log to paste

2024-10-02T14:22:03Z,DESKTOP-1234,FileExecution,notepad.exe,4321,JohnDoe,192.168.1.2,a3b5c2d4e6f7,35

Select Auto to automatically parser this data into separate fields.

The parser will automatically parse the log, having recognized the separator. The default values will be fieldName1,2,3 etc.

Now we have decided which field, from where, and how to parse, we need to specify how it is output to the next action. In the output field, we can change the names of each field.

TIMESTAMP
HOSTNAME
EVENT TYPE
PROCESS NAME
PROCESS ID
USERNAME
IP ADDRESS
HASH
THREAT SCORE

A JSON file.

Log:

{"timestamp":"2024-10-02T14:45:15Z","client_ip":"203.0.113.45","http_method":"GET","uri":"/login","response_code":403,"action":"BLOCK","rule_id":"981176","rule_description":"SQL Injection Attempt","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","headers":{"host":"example.com","referer":"","x_forwarded_for":"203.0.113.45"},"request_body":"","threat_details":{"attack_type":"SQL Injection","payload":"' OR 1=1 --"}}

Select Auto to automatically parse this data into separate fields.

The parser will automatically parse the log.

Now we have decided which field, from where, and how to parse, we need to specify how it is output to the next action. In the output field, we can change the names of each field.

TIMESTAMP
CLIENT IP
HTTP METHOD
URI
RESPONSE CODE
ACTION
RULE ID
RULE DESCRIPTION
USER AGENT
HEADERS
REQUEST BODY
THREAT DETAILS

Use a key-value file with = to as a separator.

Log to paste

timestamp=2024-10-02T15:00:45Z src_ip=192.168.1.100 dst_ip=203.0.113.45 action=ALLOW protocol=TCP src_port=443 dst_port=54321 bytes_sent=1024 bytes_received=2048 rule_id=1002 threat_level=low

Select Auto to automatically parser this data into separate fields.

The parser will automatically parse the log, having recognized the separator.

Now we have decided which field, from where, and how to parse, we need to specify how it is output to the next action. In the output field, we can change the names of each field.

TIMESTAMP
SOURCE IP
DESTINATION IP
ACTION
PROTOCOL
DST PORT
BYTES SENT
BYTES RECEIVED
RULE ID
THREAT LEVEL

Paste the following sample XML:

<?xml version="1.0"?><Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/><EventID>4658</EventID><Version>0</Version><Level>0</Level><Task>12801</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2024-11-19T18:02:37.633550600Z"/><EventRecordID>30447483136</EventRecordID><Correlation/><Execution ProcessID="4" ThreadID="10868"/><Channel>Security</Channel><Computer>S1128QRP038.ad.bbva.com</Computer><Security/></System><EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">S1128QRP038$</Data><Data Name="SubjectDomainName">ADBBVA</Data><Data Name="SubjectLogonId">0x3e7</Data><Data Name="ObjectServer">Security</Data><Data Name="HandleId">0x28f4</Data><Data Name="ProcessId">0x566c</Data><Data Name="ProcessName">D:\\APPSYS\\VERITAS\\NetBackup\\bin\\bpbkar32.exe</Data></EventData><RenderingInfo Culture="es-ES"><Message>The handle to an object was closed.    Subject :  \tSecurity ID:\t\tS-1-5-18  \tAccount Name:\t\tS1128QRP038$  \tAccount Domain:\t\tADBBVA  \tLogon ID:\t\t0x3E7    Object:  \tObject Server:\t\tSecurity  \tHandle ID:\t\t0x28f4    Process Information:  \tProcess ID:\t\t0x566c  \tProcess Name:\t\tD:\\APPSYS\\VERITAS\\NetBackup\\bin\\bpbkar32.exe</Message><Level>Information</Level><Task>Registry</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>

Change to manual mode and access the PCL editor by clicking this icon </>. Change string to xml so that the parser can detect the input format.

Then, click Apply changes.

Go back to list mode by clicking the icon at the left corner. Then, select the green text and click Extract all fields.

All the available fields in the input XML will be extracted:

Click Save.

PreviousMath Expression NextPCL (Parser Configuration Language)

Last updated 1 month ago

Was this helpful?